In The Claims 

The listing of claims will replace all prior versions, and listings, of claims in the 
application. Applicants hereby amend claims 2, 4, 19, 26, 30-35, 42 and 43. 



7 1 . (Original) A method of examining a network, including; 

2 identifying an operating system of a remote host, including a version and a 

3 patch level of the operating system; 

4 identifying a service of the remote host, including a version and a patch level 

5 of the service; and 

6 identifying a vulnerability of the network based on information obtained from 

7 the steps of identifying an operating system and identifying a service. 

/ 2. (Currently Amended) The method of claim 1, wherein: 

2 the step of identifying an operating system includes sending a first set of 

3 packets to the remote host and receiving a second set of packets from 

4 the remote host in response to said first set of packets , and analyzing 

5 the second set of packets for inferential information indicative of the 

6 operating system ; 

7 the step of identifying a service includes sending a third set of packets to the 

8 remote host and receiving a fourth set of packets from the remote host 

9 in response to said third set of packets, wherein information contained 
10 in said third set of packets is based on information received in said 

77 second set of packets , and analyzing the fourth set of packets for 

72 inferential information indicative of the service ; and 

13 the step of identifying a vulnerability includes comparing information 

14 contained in the second set of packets and the fourth set of packets to 

15 preexisting vulnerability information in a database. 

7 3. (Original) The method of claim 1, wherein the step of identifying 

2 an operating system includes sending three sets of packets to the remote host and 

3 receiving three respective sets of responsive packets from the remote host. 
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7 4. (Currently Amended) A method of examining a network, 

2 including: 

3 nonintrusively and reliably identifying an operating system of a remote host 

4 including identifying a version of the operating system based on 

5 inferential information received from the remote host ; 
* — 

6 nonintrusively and reliably identifying a service of the remote host including 

7 identifying a version of the service based on inferential information 

8 received from the remote host . 

7 5. (Original) The method of claim 4, further including: 

2 identifying a vulnerability of the network. 

7 6. (Original) The method of claim 4, further including: 

2 identifying a trojan application on the host. 

/ 7. (Original) The method of claim 4, further including: 

2 identifying unauthorized software use on the host. 

1 8. (Original) The method of claim 4, further including: 

2 identifying security policy violations on the network. 

7 9. (Previously Presented) The method of claim 4, wherein: 

2 the step of identifying an operating system further includes identifying a patch 

3 level of the operating system; and 

4 the step of identifying a service further includes identifying a patch level of 

5 the service. 

7 10. (Original) The method of claim 4, wherein the steps of identifying 

2 an operating system and identifying a service each includes: 

3 sending a selected packet to the remote host; 

4 receiving from the remote host a reflexive responsive packet. 
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1 11. (Previously Presented) The method of claim 4, wherein the steps 

2 of identifying an operating system and identifying a service each includes: 

3 sending a plurality of selected packets to the remote host; and 

4 receiving from the remote host a plurality of reflexive responsive packets. 

1 12, (Previously Presented) The method of claim 4, wherein: 

2 the step of identifying an operating system includes sending a first set of 

3 packets to the remote host and receiving a second set of packets from 

4 the remote host in response to said first set of packets; and 

5 the step of identifying a service includes sending a third set of packets to the 

6 remote host and receiving a fourth set of packets from the remote host 

7 in response to said third set of packets. 

1 13. (Original) A method of examining a network, including: 

2 identifying an operating system of a remote host including identifying a 

3 version of the operating system; 

4 identifying a service of the remote host including identifying a version of the 

5 service, and 

6 identifying a vulnerability of the network. 

1 14. (Original) The method of claim 13, wherein: 

2 the step of identifying a vulnerability includes using information obtained 

3 from the steps of identifying an operating system and identifying a 

4 service to identify the vulnerability. 

1 15. (Previously Presented) The method of claim 13, wherein: 

2 the step of identifying an operating system further includes identifying a patch 

3 level of the operating system; and 

4 the step of identifying a service includes identifying a patch level of the 

5 service. 
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7 16. (Currently Amended) The method of claim 13, wherein the steps 

2 of identifying an operating system, identifying a service, and identifying a vulnerability 

3 each includes: 

4 sending a selected packet to the remote host; and 

5 receiving from the remote host a reflexive responsive packet. 

7 17. (Previously Presented) The method of claim 13, wherein: 

2 the step of identifying an operating system includes sending a first set of 

3 packets to the remote host and receiving a second set of packets from 

4 the remote host in response to said first set of packets; 

5 the step of identifying a service includes sending a third set of packets to the 

6 remote host and receiving a fourth set of packets from the remote host 

7 in response to said third set of packets; and 

8 the step of identifying a vulnerability includes comparing information 

9 contained in the second set of packets and the fourth set of packets to 
10 information in a database. 

7 18. (Previously Presented) The method of claim 17, wherein: 

2 information contained in said third set of packets is based on information 

3 received in said second set of packets; and 

4 information contained in said fifth set of packets is based on information 

5 received in said fourth set of packets. 

7 19. (Currently Amended) A method of examining a network, 

2 including: 

3 sending a set of selected packets to a remote host on the network; 

4 receiving from the remote host a set of reflexive responsive packets; and 

5 identifying conditions of the remote host by using inferential information 

6 received in the reflexive responsive packets, wherein the conditions 

7 include an operating system of the host, and a service of the host. 
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/ 20. (Original) The method of claim 19, wherein the conditions further 

2 include a vulnerability of the host. 

7 21 . (Original) The method of claim 19, wherein the conditions further 

2 include the presence of unauthorized software. 

7 22. (Original) The method of claim 19, wherein the conditions include 

2 the presence of a trojan application. 

7 23. (Currently Amended) The method of claim 19, wherein: 

2 identifying an operating system includes identifying a version; and 

3 identifying a service includes identifying a version. 

7 24. (Currently Amended) The method of claim 19, wherein: 

2 identifying an operating system includes identifying a version and a patch 

3 level; and 

4 identifying a service includes identifying a version and a patch level. 

7 25. (Previously Presented) The method of claim 19, wherein 

2 the step of sending a set of selected packets to a host on the network includes 

3 sending a plurality of sets of packets to the host; and 

4 the step of receiving from the remote host a set of reflexive responsive packets 

5 includes receiving a like plurality of sets of reflexive responsive 

6 packets. 

7 26. (Currently Amended) A method of detecting a vulnerability of a 

2 network, comprising: 

3 sending a first set of test packets a first set of selected pack e ts to a remote host 

4 on the network; 

5 receiving a second s e t of a first set of reflexive packets from the remote host 

6 in response to the first set of test packets; 
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7 sending a second set of test packets a third s e t of s e l e ct e d pack e ts to a the_ 

8 remote host on the network, wherein information contained in the first 

9 set of test packets th e third s e t of pack e ts is based on inferential 

10 information contained in the first set of reflexive second s e t of packets; 

11 receiving a fourth set of a second set of reflexive packets from the remote host 

12 in response to the second set of test packets th e third s e t of pack e ts ; 

13 s e nding a fifth s et of s e l e ct e d pack e ts to a host on th e n e twork, wh e r e in 

14 information contain e d in th e fifth s e t of pack e ts is bas e d on infer e ntial 

15 information contain e d in th e fourth s e t of pack e ts; 

16 r e c e iving a sixth se t of pack e ts from th e r e mot e host in respons e to th e fifth 

17 s e t of pack e ts; 

18 based on inferential information contained in the first set of reflexive packets 

19 th e s e cond, and fourth, and sixth s e t of pack e ts , identifying a an 

20 operating system of a the remote host on th e n e twork , including a 

21 version and a patch level ; and 

22 based on inferential information contained in the second set of reflexive 

23 packets, identifying a service of the remote host, including a version 

24 and a patch level . 

1 27. (Currently Amended) The method of claim 26, further including: 

2 sending a seventh set of selected packets to a host on the network; 

3 receiving an eighth set of packets from the remote host in response to the 

4 seventh set of packets; 

5 sending a ninth set of selected packets to a host on the network; 

6 receiving a tenth set of packets from the remote host in response to the ninth 

7 set of packets; and 

8 based on information contained in the eight and tenth sets of packets, 

9 identifying a service of a host on the network, including a version and 
10 a patch level. 
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/ 28. (Original) The method of claim 27, further including: 

2 based on information contained in at least the tenth sequence, identifying a 

3 vulnerability. 

/ 29. (Currently Amended) The method of claim 26, wherein: 

2 the first set of packets includes: 

3 a SYN Packet with false flag in the TCP option header; 

4 a Fragmented UPD packet with malformed header (any header 

5 inconsistency is sufficient), where the packet is 8K in size; 

6 a FIN Packets of a selected variable size or a FIN packet without the 

7 ACK or SYN flag properly set; and 

8 a generic, well-formed ICMP ECHO request packet; 

9 the third set of packets includes: 

10 a generic well-formed TCP Header set to 1024 bytes in size; 

11 a Packet requesting an ICMP Timestamp; 

12 a Packet with min/max segment size set to a selected variable value; 

13 and 

14 a UPD packet with the fragment bit set; 
75 the fifth set of packets includes: 

16 a TCP Packet with the header and options set incorrectly; 

1 7 a well-formed ICMP Packet; 

18 a Fragmented TCP or UPD packet; 

19 a packet with an empty TCP window or a window set to zero; 

20 a generic TCP Packet with 8K of random data; and 

21 a SYN Packet with ACK and RST flags set. 

/ 30. (Currently Amended) A method of examining a network, 

2 comprising: 

3 sending a plurality of packets to a host on the network; 

4 receiving a responsive plurality of packets from the host n e twork ; 



U.S. Serial No. 09/648,211 



8 of 19 



Case 6895 (Amd. B) 
23327/06895/DOCS/1446612. 1 



5 comparing inferential information in the responsive packets to information 

6 stored in a database; and 

7 based on the comparison, identifying a plurality of network conditions, 

8 including a vulnerability of the network. 

1 31. (Currently Amended) A method of examining a network, 

2 comprising: 

3 sending packets to a host on the network; 

4 receiving responsive packets from the host n e twork ; 

5 comparing inferential information in the responsive packets to information 

6 stored in a database; and 

7 based on the comparison, identifying a trojan application on the network. 

/ 32. (Currently Amended) A method of examining a network, 

2 comprising: 

3 sending packets to a host on the network; 

4 receiving responsive packets from the host n e twork ; 

5 comparing inferential information in the responsive packets to information 

6 stored in a database; and 

7 based on the comparison, identifying unauthorized software use on the 

8 network. 

/ 33. (Currently Amended) A method of examining a network, 

2 comprising: 

3 sending packets to a host on the network; 

4 receiving responsive packets from the host n e twork ; 

5 comparing inferential information in the responsive packets to information 

6 stored in a database; and 

7 based on the comparison, inferring an unknown vulnerability. 
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7 34. (Currently Amended) A method of examining a network, 

2 comprising: 

3 sending packets to a host on the network; 

4 receiving responsive packets from the host n e twork ; 

5 comparing inferential information in the responsive packets to information 

6 stored in a database; and 

7 based on the comparison, identifying a security policy violation. 

7 35. (Currently Amended) A system for examining a network, 

2 comprising: 

3 a database including a set of reflex signatures; 

4 a packet generator; 

5 a comparison unit in communication with the packet generator and the 

6 database; 

7 wherein the packet generator is designed to generate and transmit a plurality 

8 of test packets to the network; and 

9 wherein the comparison unit is designed to receive responsive packets from 
10 the network and to compare responsiv e pack e t inferential information 
7 ; from with the reflex signatures. 

7 36. (Original) The system of claim 35, wherein the comparison unit is 

2 further designed to identify a vulnerability in the network based on its comparison of 

3 packet information with reflex signatures. 

7 37. (Original) The system of claim 35, wherein the comparison unit is 

2 further designed to identify an operating system type, version, and patch level and a 

3 service type, version, and patch level of a host on the network. 

7 38. (Original) The system of claim 35, wherein the comparison unit is 

2 designed to provide information to the packet generator, and wherein the packet 

3 generator is designed to use the information to selectively generate packets. 
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/ 39. (Original) A computer readable medium, having instructions 

2 stored therein, which, when executed by a computer, causes the computer to perform the 

3 steps of: 

4 identifying an operating system of a remote host, including a version of the 

5 operating system; 

6 identifying a service on the port and a service of the remote host, including a 

7 version of the service; and 

8 identifying a vulnerability of the network based on information obtained from 

9 the steps of identifying an operating system and identifying a service. 

1 40. (Original) The computer readable medium of claim 39, wherein: 

2 the instructions for identifying an operating system further include 

3 instructions for identifying a patch level of the operating system; and 

4 the instructions for identifying a service further include instructions for 

5 identifying a patch level of the service. 

1 41. (Previously Presented) The computer readable medium of claim 

2 39, wherein: 

3 the step of identifying an operating system includes sending a first set of 

4 packets to the remote host and receiving a second set of packets from 

5 the remote host in response to said first set of packets; 

6 the step of identifying a service includes sending a third set of packets to the 

7 remote host and receiving a fourth set of packets from the remote host 

8 in response to said third set of packets, wherein information contained 

9 in said third set of packets is based on information received in said 

10 second set of packets; and 

11 the step of identifying a vulnerability includes comparing information 

12 contained in the second sequence of packets and the fourth sequence 

13 of packets to information in a database. 
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7 42. (Currently Amended) A method for use by a host on a network, 

2 comprising: 

3 receiving a set of selected packets from remote equipment; and 

4 automatically sending a second set of packets to said remote equipment, 

5 which packets includ e the second set of packets including inferential 

6 information that enables the remote equipment to identify a 

7 vulnerability on the network. 

7 43. (Currently Amended) A method for use by a host on a network, 

2 comprising: 

3 receiving a first set of test packets a first s e t of packets from remote 

4 equipment; 

5 automatically sending a s e cond s e t of a first set of reflexive packets to said 

6 remote equipment , the first set of reflexive packets containing 

7 information generated according to a Request For Comment (RFC) 

8 protocol and indicative of an operating system, including a version and 

9 patch level ; 

10 receiving a first test packet a third s e t of pack e ts from remote equipment; 

7 1 automatically sending a third s e t of a second set of reflexive packets to said 

1 2 remote equipment , the second set of reflexive packets containing 

13 information generated according to a Request For Comment (RFC) 

14 protocol and indicative of a service, including a version and patch 
75 level ; 

16 rec e iving a fifth s e t of pack e ts from th e remote e quipm e nt; 

77 automatically s e nding a sixth s e t of pack e ts from th e r e mot e e quipment; 

18 receiving a se v e nth s e t of pack e ts from r e mot e e quipm e nt; 

19 automatically s e nding an e ighth set of pack e ts from th e r e mote e quipm e nt; 

20 r e c e iving a ninth s e t of pack e ts from the remot e e quipment; and 

21 automatically s e nding a tenth s e t of pack e ts from the remot e e quipm e nt; 
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22 wherein said s e cond, fourth, and sixth s e ts of packets the first set of reflexive 

23 packets includes information that enables the remote equipment to 

24 identify an the operating system on the host n e twork , including a 

25 version and a patch level; 

26 wherein said e ighth and t e nth sots of pack e ts the second set of reflexive 

27 packets includes information that enables the remote equipment to 

28 identify a the service on the host, including a version and a patch level. 

7 44. (Previously Presented) A method of examining a network, 

2 including: 

3 identifying an operating system of a remote host, including a version and a 

4 patch level of the operating system with a first set of packets, the first 

5 set of packets comprising an operating system packet to determine the 

6 operating system, an operating system version packet to determine the 

7 operating system version based on the determined operating system, 

8 and an operating system patch level packet to determine the operating 

9 system patch level based on the determined operating system version; 
10 identifying a service of the remote host, including a version and a patch level 
77 of the service with a second set of packets based on at least one of the 

12 first set of packets, the first set of packets comprising a service packet 

13 to determine the service, a service version packet to determine the 

14 service version based on the determined service, and a service patch 

15 level packet to determine the service patch level based on the 

16 determined service version; and 

7 7 identifying a vulnerability of the network based on information obtained from 
18 the steps of identifying an operating system and identifying a service. 
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45. (Previously Presented) A method of examining a network, 



including: 

identifying an operating system of a remote host, including a version and a 
patch level of the operating system, with responses to nonconforming 
data packets; 

identifying a service of the remote host, including a version and a patch level 
of the service with responses to nonconforming data packets; and 

identifying a vulnerability of the network based on information obtained from 
the steps of identifying an operating system and identifying a service. 
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